Token-based authentication for network connection

ABSTRACT

A token-based system for authenticating a client computer when it connects to a network. An address is requested from a server connected to the network. Provision of the address by the server triggers the server to look for a token on the client computer. If no token is found, steps such as revoking the address can be taken. This enables a system administrator to control what machines can connect to the network; for example, it may allow only those having specified anti-virus software.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] This invention relates to the field of data processing systems. More particularly, this invention relates to data processing systems in which a plurality of machines are connected together via a network.

[0003] 2. Description of the Prior Art

[0004] In many known computer networks, a person wishing to connect to such a network makes a DHCP (dynamic host configuration protocol) request for an IP address to any of the network's DHCP servers. The DHCP server leases IP addresses to machines on demand. The IP address leased is based on the range that is configured within the DHCP server settings. For example, an IP address may be made up of four elements (octets), three of the elements being used to represent a particular office location, so that the router can tell where the machine is, and the fourth element distinguishing the actual machine from the other machines. Thus, in this example there would potentially be 256 possible addresses per office. In reality, some of these addresses may be reserved and used exclusively for a particular task; a gateway (such as a router), for example, could always end in a .252 address and a DHCP server could always end with a .10 address. The remaining addresses are allocated on demand to machines wishing to connect to the network.

[0005] On receipt of an IP address request the DHCP server replies by asking the requesting machine for its name. If that name corresponds to an IP address that no other machine is using at present, then the DHCP server gives this IP address back to the machine; if not, an unused address is allocated. The DHCP server leases these IP addresses, and when a machine disconnects from the network the address is “given back” to the DHCP server so that it can be allocated to another machine trying to connect to the network.

[0006] In this known system, the DHCP server does not make any check on the user credentials at the time of the request; the responsibility for authentication is left to the network operating system.

[0007] A current process of authenticating a user within, for example, the Microsoft™ NT Networking design does not allow an administrator to validate “what or who” has access to the network; it rather controls access to network resources. For example, a third party consultant with a laptop computer can simply request an IP address from a DHCP server on the network, and be provided with an address based on the network location from which the request came. Of course, once an IP address has been provided to the consultant he/she can now attempt to ‘logon’ to the network in the traditional way. Our consultant may not know of a user account to authenticate to the network, and proceeds to connect to the network by logging into the laptop locally. Even though the consultant has no access to network resources he/she is still capable of ‘sniffing’ (packet capturing) data from the corporate network, and can also connect to resources which require ‘null’ access (null session shares etc.).

SUMMARY OF THE INVENTION

[0008] Viewed from one aspect the present invention provides a computer program product comprising a computer program operable to control a server computer, said computer program comprising: (i) address provision logic operable to control said server computer to provide an address for accessing a network to a client computer, in response to a request for an address from said client computer; (ii) token validation logic operable in response to said provision of said address to control said server computer to contact said client computer at said address and to detect a presence of a predefined token on said client computer.

[0009] Thus, the provision of an address triggers the server computer to check for a token on the client computer. The server computer is therefore able to make a check on what or who is connected to the network at the point of address provision. This means that the network is able to perform machine validation, for example, at the initial point of contact between a machine and a network. This is an extremely powerful tool for providing network administrators with access control. Once an administrator knows that a new machine has connected to the network then something can be done about it. Finding unknown machines is a difficult and tedious task that otherwise would need to be undertaken often.

[0010] Preferably, said token validation logic is operable to control said server computer to check whether said detected predefined token is valid.

[0011] Thus, in addition to confirming the presence of a token, the properties of a token can be monitored to see if it is valid or not. Thus, information such as an expiry date or a version number can be carried on the token, thereby providing more sophisticated access control.

[0012] In some embodiments, the token validation logic is operable to control said server computer to revoke said address from said client computer if said token is not detected or is not valid; alternatively or additionally said token validation logic is operable to control said server computer to record machine data from said client computer if said token is not detected and/or to signal to said client computer that access has been denied if said token is not detected.

[0013] The absence of a token on the client computer can trigger the server computer to perform different tasks. For example the address can be revoked, thereby preventing any further communication between the client computer and the network; machine data can be recorded from the client computer so that the network administrator can be made aware of the nature of the machine trying to connect to the network; and if access is to be denied, this can be signalled to the client computer.

[0014] In some embodiments, said predefined token indicates the presence of software allowing remote configuration of said client computer, and in preferred embodiments, if said token is not detected, said token validation logic is operable to control said server computer to install said remote configuration software on said client computer.

[0015] The presence of such software allows the operator to standardise the configuration of the client computer to be compatible with network standards, for example, to have the required anti-virus software present on the machine. The ability to install such software if it is not present allows machines that would otherwise not be permitted to connect to the network to be connected thereto.

[0016] In some embodiments, said predefined token indicates the presence of anti-virus software on said client computer. The use of such a token enables a network to stop any machine not protected by anti-virus software from connecting to the network, or, in other embodiments, it allows the operator to be notified of the presence of the machine.

[0017] In some embodiments, said server computer comprises a DHCP server and said address comprises an IP address.

[0018] In most network systems, any new machine wishing to connect to the network must request an IP address from a DHCP server; thus, by providing a DHCP server with a computer program product according to an embodiment of the invention, any new machine wishing to access the network can be checked for the presence of a token.

[0019] In other embodiments, said address provision logic is operable to control said server computer to request an address from a further server computer and to provide said address to said client computer; preferably, said further server computer is a DHCP server and said address comprises an IP address.

[0020] Thus, a further server can act to intercept any address request by a client, and it can make the request itself, pass on the address and perform a check for a token. This enables the token check to be performed without any change being made to any DHCP server.

[0021] The predefined token can comprise almost anything; for example, it may comprise a computer file or files, a smart card, or data identifying a hardware component of said client computer.

[0022] Further aspects of the present invention are set out in the appended claims.

[0023] The above, and other objects, features and advantages of this invention will be apparent from the following detailed description of illustrative embodiments, which is to be read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0024] FIG. 1 schematically illustrates an example of a computer network;

[0025] FIG. 2 is a flow diagram showing schematically the steps undertaken when a machine connects to a network according to an embodiment of the invention;

[0026] FIG. 3 is a flow diagram showing schematically a network authenticator intercepting and processing a request for a network connection; and

[0027] FIG. 4 schematically illustrates a general purpose computer of a type that may be used for performing scanning operations.

[0028] FIG. 1 illustrates a computer network 2 including a DHCP server 4, a plurality of client computers 8, 10, 12 and a plurality of rack mounted appliance computers 14. A local area network 16 connects these computers.

[0029] FIG. 2 shows the process according to an embodiment of the invention that occurs when a client computer 8, 10, 12 of FIG. 1 requests connection to the network by requesting an IP address from the DHCP server 4. On receipt of the request the DHCP server sends an IP address to the client computer. The sending of this address triggers software on the DHCP server to start a process whereby the client computer is accessed in order to look for the presence of a predefined token. This is done by a call to the ePO server service on the client computer. If the token is located then this triggers the process to end. If the token cannot be found, then the process acts to revoke the IP address and thus access to the network is denied.

[0030] In other embodiments, in addition to locating the token, details of the token, such as an expiry date or version number, can be read and checked against stored data, so that the token can be validated.

[0031] In the embodiment of FIG. 2, if the token is not found then the IP address is revoked. If there is an additional verification step, to check predefined properties of the token, clearly the absence of at least some of these properties would also result in the revocation of the IP address. In other embodiments, the IP address need not be revoked in response to the token not being found or not being valid; instead and/or additionally, the details of the client machine may be recorded and notified to the system administrator, or other specified steps may occur.
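The exchange of paragraphs [0010] to [0013] and [0029] to [0031], written out as an added example in Python; this is not code from the patent or from the ePolicy Orchestrator product it names. The example assumes a token format of its own (a JSON record carrying an expiry date, an agent version and a machine name) signed with HMAC-SHA256 under a key the validating server shares with the provisioning tool, in place of the PGP signature the patent refers to. The key, the client and user names, the addresses and the dates are all constructed for the example:

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import date

# Assumptions for this example: the token is a signed JSON record carrying an
# expiry date, an agent version and a machine name, and HMAC-SHA256 under a key
# shared with the provisioning tool stands in for the PGP signature the patent
# mentions. Keys, names, addresses and dates below are constructed.
PROVISIONING_KEY = b"example-provisioning-key"
MIN_AGENT_VERSION = (3, 0)  # oldest agent version still accepted


def sign_token(payload: dict) -> bytes:
    """Serialise the payload canonically and attach its MAC."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(PROVISIONING_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "sig": sig}).encode()


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


class Client:
    """Client side (claims 43-44): answers the token and machine-data requests."""
    def __init__(self, machine, user, domain, token=None):
        self.machine, self.user, self.domain, self.token = machine, user, domain, token
        self.denied_reason = None
    def on_token_request(self):
        return self.token  # None when no token is stored on the machine
    def on_machine_data_request(self):
        return {"machine": self.machine, "user": self.user, "domain": self.domain}
    def on_access_denied(self, reason):
        self.denied_reason = reason


@dataclass
class Server:
    """Address provision logic plus token validation logic."""
    today: date
    leases: dict = field(default_factory=dict)     # address -> Client
    unmanaged: list = field(default_factory=list)  # machine data of rejected clients

    def provide_address(self, client: Client, address: str) -> str:
        self.leases[address] = client
        return self.validate(address)  # provision itself triggers the check

    def check_token(self, token) -> str:
        """Return "ok" or the rejection reason; nothing in the payload is
        trusted until the signature over it has been verified."""
        if token is None:
            return "missing"
        try:
            doc = json.loads(token)
            payload, sig = doc["payload"], doc["sig"]
            body = json.dumps(payload, sort_keys=True).encode()
            expected = hmac.new(PROVISIONING_KEY, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, sig):
                return "bad-signature"
            if date.fromisoformat(payload["expires"]) < self.today:
                return "expired"
            if parse_version(payload["version"]) < MIN_AGENT_VERSION:
                return "old-version"
        except (ValueError, KeyError, TypeError):
            return "malformed"
        return "ok"

    def validate(self, address: str) -> str:
        client = self.leases[address]
        verdict = self.check_token(client.on_token_request())
        if verdict != "ok":
            # Paragraph [0013]: record machine data, revoke, signal the denial.
            entry = dict(client.on_machine_data_request(), address=address, reason=verdict)
            self.unmanaged.append(entry)
            del self.leases[address]
            client.on_access_denied(verdict)
        return verdict


def run_validation_demo(today: date = date(2024, 6, 1)) -> dict:
    """Constructed clients covering each verdict."""
    good = sign_token({"machine": "alpha", "expires": "2025-01-01", "version": "3.2.0"})
    stale = sign_token({"machine": "charlie", "expires": "2024-01-01", "version": "3.2.0"})
    old = sign_token({"machine": "echo", "expires": "2025-01-01", "version": "2.9"})
    forged = json.loads(sign_token({"machine": "delta", "expires": "2025-01-01", "version": "2.0"}))
    forged["payload"]["version"] = "9.9.9"  # edited after signing: the MAC no longer matches
    clients = [
        Client("alpha", "jsmith", "CORP", good),
        Client("bravo", "visitor", "WORKGROUP"),  # no agent, no token
        Client("charlie", "mjones", "CORP", stale),
        Client("delta", "guest", "WORKGROUP", json.dumps(forged).encode()),
        Client("echo", "rlee", "CORP", old),
    ]
    server = Server(today)
    verdicts = {c.machine: server.provide_address(c, f"10.1.2.{n}")
                for n, c in enumerate(clients, start=20)}
    return {"verdicts": verdicts, "active": sorted(server.leases),
            "unmanaged": [e["machine"] for e in server.unmanaged],
            "denied": {c.machine: c.denied_reason for c in clients}}
```

The order of the checks is the point. The client reports its own token (claim 43), so an expiry date or version number on it is only as trustworthy as the signature that covers it; the server therefore verifies the signature before reading either, and the edited record for delta is rejected as bad-signature instead of being accepted as version 9.9.9.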

[0032] FIG. 3 is a flow diagram showing an alternative embodiment. In this embodiment any IP request to a particular network's DHCP server(s) is intercepted by a “network access authenticator”. This network access authenticator may reside on the DHCP server itself or it may be on another server linked with the DHCP server via the network. The authenticator then itself requests an IP address from the DHCP server and, on receiving the address, it passes it on to the client computer. The network access authenticator then acts to check for the presence of a token on the client computer.

[0033] In one embodiment the token is the ePolicy Orchestrator agent, which indicates the presence of McAfee anti-virus software. This ePolicy Orchestrator agent uses a 64 bit PGP signature and it is this that is checked for. Thus, by checking for this token the network is able to ensure that no machine that is not suitably protected from viruses is allowed to connect to the network. If the software is found, then the process ends. If it is not found, then the network access authenticator attempts to install it on the client computer; this starts the process of that machine being protected. If it cannot install it then it creates an entry in the ePO tree (logged) of an “unmanaged machine”, and it passes the IP address, user, domain and machine name to the operator. Alternatively, the network access authenticator may simply act to revoke the IP address and deny network access to the client computer.
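The lease pool of paragraphs [0004] and [0005] and the intercepting authenticator of paragraphs [0019], [0020], [0032] and [0033], modelled together as an added Python example that is not part of the patent. The DHCP server is a plain pool with the .252 gateway and .10 server addresses reserved, as in the patent's example, and it is left untouched by the authenticator. The token probe and the agent installer are injected callables, since the patent does not specify the ePO call; the client records, the MAC-style client ids and the names are constructed:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumptions for this example: client records are dicts carrying the DHCP
# client id plus the machine, user and domain names the operator is given; the
# token probe and the agent installer are injected callables. All records,
# names and addresses are constructed.


@dataclass
class DhcpServer:
    """Plain lease pool; it needs no change to take part in the check."""
    network: ipaddress.IPv4Network
    reserved: set = field(default_factory=set)
    leases: dict = field(default_factory=dict)  # client id -> IPv4Address

    def request(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        if client_id in self.leases:  # a known machine keeps its address
            return self.leases[client_id]
        in_use = set(self.leases.values())
        for host in self.network.hosts():
            if host not in self.reserved and host not in in_use:
                self.leases[client_id] = host
                return host
        return None  # pool exhausted

    def release(self, client_id: str) -> bool:
        return self.leases.pop(client_id, None) is not None


def make_pool(cidr: str) -> DhcpServer:
    """One office /24 with the gateway at .252 and the DHCP server at .10 reserved."""
    net = ipaddress.ip_network(cidr)
    return DhcpServer(net, reserved={net[252], net[10]})


@dataclass
class NetworkAccessAuthenticator:
    dhcp: DhcpServer
    has_agent: Callable[[dict], bool]      # token probe against the client
    install_agent: Callable[[dict], bool]  # True when the install succeeded
    revoke_on_missing: bool = False        # the alternative of paragraph [0033]
    unmanaged: list = field(default_factory=list)

    def handle_request(self, client: dict) -> dict:
        """Intercept the client's address request and process it end to end."""
        address = self.dhcp.request(client["id"])  # ask the DHCP server ourselves
        if address is None:
            return {"address": None, "status": "no-address"}
        # The address is passed to the client first; that is what triggers the probe.
        if self.has_agent(client):
            return {"address": str(address), "status": "managed"}
        if self.revoke_on_missing:
            self.dhcp.release(client["id"])
            return {"address": None, "status": "revoked"}
        if self.install_agent(client):
            return {"address": str(address), "status": "installed"}
        # Log an "unmanaged machine" entry with the details the operator receives.
        self.unmanaged.append({"address": str(address), "user": client["user"],
                               "domain": client["domain"], "machine": client["machine"]})
        return {"address": str(address), "status": "unmanaged"}


def run_authenticator_demo(revoke_on_missing: bool = False) -> dict:
    """A managed workstation, one that accepts the install, and a consultant
    laptop that refuses it (constructed records)."""
    clients = [
        {"id": "00:11:22:33:44:01", "machine": "WS-001", "user": "jsmith",
         "domain": "CORP", "agent": True, "allow_install": False},
        {"id": "00:11:22:33:44:02", "machine": "WS-002", "user": "mjones",
         "domain": "CORP", "agent": False, "allow_install": True},
        {"id": "00:11:22:33:44:03", "machine": "CONSULT-LT", "user": "visitor",
         "domain": "WORKGROUP", "agent": False, "allow_install": False},
    ]
    auth = NetworkAccessAuthenticator(
        dhcp=make_pool("10.1.2.0/24"),
        has_agent=lambda c: c["agent"],
        install_agent=lambda c: c["allow_install"],
        revoke_on_missing=revoke_on_missing,
    )
    results = {c["machine"]: auth.handle_request(c) for c in clients}
    return {"results": results, "leases": len(auth.dhcp.leases),
            "unmanaged": auth.unmanaged}
```

Setting revoke_on_missing selects the patent's alternative of revoking the address instead of attempting an install. One caveat that applies to every revoke path in this document: releasing a lease on the server only returns the address to the pool, and a host that ignores the DHCP protocol keeps using the address it was already given, so the revocation has to be backed by a network-side control (a switch port or filter rule) to actually deny access.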

[0034] FIG. 4 illustrates a general purpose computer 200 of the type that may be used to perform the above described techniques. The general purpose computer 200 includes a central processing unit 202, a read only memory 204, a random access memory 206, a hard disk drive 208, a display driver 210 with attached display 211, a user input/output circuit 212 with attached keyboard 213 and mouse 215, a network card 214 connected to a network connection and a PC computer on a card 218, all connected to a common system bus 216. In operation, the central processing unit 202 executes a computer program that may be stored within the read only memory 204, the random access memory 206, the hard disk drive 208 or downloaded over the network card 214. Results of this processing may be displayed on the display 211 via the display driver 210. User inputs for triggering and controlling the processing are received via the user input/output circuit 212 from the keyboard 213 and mouse 215. The central processing unit 202 may use the random access memory 206 as its working memory. A computer program may be loaded into the computer 200 via a recording medium such as a floppy disk drive or compact disk. Alternatively, the computer program may be loaded in via the network card 214 from a remote storage drive. The PC on a card 218 may comprise its own essentially independent computer with its own working memory, CPU and other control circuitry that can co-operate with the other elements in FIG. 4 via the system bus 216. The system bus 216 is a comparatively high bandwidth connection allowing rapid and efficient communication.

[0035] Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims.

I claim
 1. A computer program product comprising a computer program operable to control a server computer, said computer program comprising: (i) address provision logic operable to control said server computer to provide an address for accessing a network to a client computer, in response to a request for an address from said client computer; (ii) token validation logic operable in response to said provision of said address to control said server computer to contact said client computer at said address and to detect a presence of a predefined token on said client computer.
 2. A computer program product as claimed in claim 1, wherein said token validation logic is operable to control said server computer to check whether said detected predefined token is valid.
 3. A computer program product as claimed in claim 2, wherein said token validation logic is operable to control said server computer to revoke said address from said client computer if said token is not detected or is not valid.
 4. A computer program product as claimed in claim 1, wherein said token validation logic is operable to control said server computer to record machine data from said client computer if said token is not detected.
 5. A computer program product as claimed in claim 1, wherein said token validation logic is operable to control said server computer to signal to said client computer that access has been denied if said token is not detected.
 6. A computer program product as claimed in claim 1, wherein said predefined token indicates the presence of software allowing remote configuration of said client computer.
 7. A computer program product as claimed in claim 6, wherein said token validation logic is operable to control said server computer to install said remote configuration software on said client computer if said token is not detected.
 8. A computer program product as claimed in claim 1, wherein said predefined token indicates the presence of anti virus software on said client computer.
 9. A computer program product as claimed in claim 1, wherein said server computer comprises a DHCP server and said address comprises an IP address.
 10. A computer program product as claimed in claim 1, wherein said address provision logic is operable to control said server computer to request an address from a further server computer and to provide said address to said client computer.
 11. A computer program product as claimed in claim 10, wherein said further server computer is a DHCP server and said address comprises an IP address.
 12. A computer program product as claimed in claim 1, wherein said predefined token comprises a computer file or files.
 13. A computer program product as claimed in claim 1, wherein said predefined token comprises a smart card.
 14. A computer program product as claimed in claim 1, wherein said predefined token comprises data identifying a hardware component of said client computer.
 15. A method of controlling a server computer, said method comprising the following steps: (i) providing an address for accessing a network from said server computer to a client computer, in response to a request for an address from said client computer; (ii) in response to said provision of said address, contacting said client computer with said server computer at said address and detecting a presence of a predefined token on said client computer.
 16. A method of controlling a server computer as claimed in claim 15, said method further comprising the step of checking whether said detected predefined token is valid.
 17. A method of controlling a server computer as claimed in claim 15, said method further comprising the step of revoking said address from said client computer if said token is not detected or is not valid.
 18. A method of controlling a server computer as claimed in claim 15, said method further comprising the step of recording machine data on said server computer from said client computer if said token is not detected.
 19. A method of controlling a server computer as claimed in claim 15, said method further comprising the step of signalling from said server computer to said client computer that access has been denied if said token is not detected.
 20. A method of controlling a server computer as claimed in claim 15, wherein said predefined token indicates the presence of software allowing remote configuration of said client computer.
 21. A method of controlling a server computer as claimed in claim 20, said method further comprising the step of installing said remote configuration software on said client computer if said token is not detected.
 22. A method of controlling a server computer as claimed in claim 15, wherein said predefined token indicates the presence of anti virus software on said client computer.
 23. A method of controlling a server computer as claimed in claim 15, wherein said server computer comprises a DHCP server and said address comprises an IP address.
 24. A method of controlling a server computer as claimed in claim 15, said method further comprising the step of requesting an address from a further server computer and providing said address to said client computer.
 25. A method of controlling a server computer as claimed in claim 24, wherein said further server computer is a DHCP server and said address comprises an IP address.
 26. A method of controlling a server computer as claimed in claim 15, wherein said predefined token comprises a computer file or files.
 27. A method of controlling a server computer as claimed in claim 15, wherein said predefined token comprises a smart card.
 28. A method of controlling a server computer as claimed in claim 15, wherein said predefined token comprises data identifying a hardware component of said client computer.
 29. A server computer comprising: an address provider operable to provide an address for accessing a network to a client computer, in response to a request for an address from said client computer; a token validator operable in response to said provision of said address to contact said client computer at said address and to detect a presence of a predefined token on said client computer.
 30. A server computer according to claim 29, wherein said token validator is operable to control said server computer to check whether said detected predefined token is valid.
 31. A server computer according to claim 30, wherein said token validator is operable to revoke said address from said client computer if said token is not detected or is not valid.
 32. A server computer according to claim 29, wherein said token validator is operable to record machine data from said client computer if said token is not detected.
 33. A server computer according to claim 29, wherein said token validator is operable to signal to said client computer that access has been denied if said token is not detected.
 34. A server computer according to claim 29, wherein said predefined token indicates the presence of software allowing remote configuration of said client computer.
 35. A server computer according to claim 34, wherein said token validator is operable to install said remote configuration software on said client computer if said token is not detected.
 36. A server computer according to claim 29, wherein said predefined token indicates the presence of anti virus software on said client computer.
 37. A server computer according to claim 29, wherein said server computer comprises a DHCP server and said address comprises an IP address.
 38. A server computer according to claim 29, wherein said address provider is operable to request an address from a further server computer and to provide said address to said client computer.
 39. A server computer according to claim 38, wherein said further server computer is a DHCP server and said address comprises an IP address.
 40. A server computer according to claim 29, wherein said predefined token comprises a computer file or files.
 41. A server computer according to claim 29, wherein said predefined token comprises a smart card.
 42. A server computer according to claim 29, wherein said predefined token comprises data identifying a hardware component of said client computer.
 43. A method of requesting an address from a server computer for a client computer, comprising the steps of: requesting an address from said server computer; receiving an address from said server computer; receiving a token validation request from said server computer; transmitting details of any token stored on said client computer to said server computer.
 44. A method as claimed in claim 43, said method further comprising the step of transmitting machine data about said client computer to said server computer in response to a request for said data from said server computer.
 45. A method as claimed in claim 43, wherein said predefined token indicates the presence of software on said client computer allowing remote configuration of said client computer.
 46. A method as claimed in claim 45, said method further comprising the step of installing said remote configuration software on said client computer from said server computer in response to said server computer not detecting said token.
 47. A method as claimed in claim 43, wherein said predefined token indicates the presence of anti virus software on said client computer.
 48. A method as claimed in claim 43, wherein said server computer comprises a DHCP server and said address comprises an IP address.
 49. A method as claimed in claim 43, wherein said predefined token comprises a computer file or files.
 50. A method as claimed in claim 43, wherein said predefined token comprises a smart card.
 51. A method as claimed in claim 43, wherein said predefined token comprises data identifying a hardware component of said client computer.